ISO/IEC 27032:2012 — Information technology — Security techniques — Guidelines for cybersecurity
Officially, ISO/IEC 27032 addresses “Cybersecurity” or “the Cyberspace security”, defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”. In turn “the Cyberspace” (complete with definite article and spurious CapitaL) is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”.
Scope and purpose
Despite the title, the standard is really about Internet security. The first couple of lines give the game away:
“The focus of this document is to address internet security issues and provides technical guidance for addressing common internet security risks ...”
The standard does not directly address cybersafety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime, protection of critical information infrastructure or cyberwar, although there are oblique references to these aspects.
Structure and content
The main sections are:
- Assets in the Cyberspace
- Threats against the security of the Cyberspace
- Roles of stakeholders in Cybersecurity
- Guidelines for stakeholders
- Cybersecurity controls
- Framework of information sharing and coordination
Annex A. Cybersecurity readiness
Annex B. Additional resources
Annex C. Examples of related documents
As defined, ‘the Cyberspace’ appears to mean a complex, highly variable or fluid virtual online environment, and hence it is hard to pin down the associated information risks. While a variety of information risks are connected with ‘the Cyberspace’, many (such as network and system hacking, spyware and malware, cross-site scripting, SQL injection, social engineering, plus information security issues relating to “Web 2.0”, cloud computing and virtualization technologies that typically underpin virtual online environments and applications) could be classed as normal or conventional system, network and application security risks. In practice, the standard is largely concerned with information risks associated with the Internet, rather than ‘the Cyberspace’ per se. However, since these risks are already pretty well covered by other ISO or ISO/IEC information security standards, either published or under development, it is uncertain what information risks are truly unique to ‘the Cyberspace’. Risks to virtual assets belonging to players of MMORPGs (‘Massively Multiplayer Online Role-Playing Games’) are mentioned in the standard but not directly addressed, for example. Frequent innovation in the realm of ‘the Cyberspace’ makes it especially tough to set international standards in this area and could itself be classed as an information risk, albeit again one not covered by the standard.
Section 7 of the standard distinguishes threats to personal and organizational assets, which appear to boil down to compromises of privacy/identity and corporate information, respectively: there are of course many information security standards covering both aspects. [For some obscure reason, section 7 also mentions threats to online governmental services and infrastructure including terrorism, although quite what these have to do with ‘the Cyberspace’ is unclear to me since I am not aware of any governments offering virtual environments or MMORPGs, unless perhaps ‘managing the nation’s economy’ is classed as a game!].
Status of the standard
The standard was published in 2012.
It is being revised (rewritten) with a new working title: “Information technology - Cybersecurity - Guidelines for Internet security”. It is due to be published in 2021.
The revised standard will:
- Explain the relationship between Internet security, web security, network security and cybersecurity;
- Give an overview of Internet security;
- Identify interested parties with roles in Internet security;
- Offer high-level guidance on addressing common Internet security issues;
- Refer to controls recommended in the forthcoming 2021 version of ISO/IEC 27002.
The revision is currently at 4th Working Draft stage.
Since 2012, “cybersecurity” has become a buzzier buzzword and yet the confusion over what it actually means persists - if anything it is even worse today. SC 27 has the opportunity in the revision project to clarify the terms and demonstrate global leadership with this and the other cybersecurity standards work now in progress.
I don’t understand the project team’s decision to “exclude the data privacy aspects” from the revision project. The revised standard is to cover “cybersecurity” but not “data privacy”?? Hmmmm.
The editors wryly note that the project team has drafted a revised scope for the standard, one that would need to be approved by SC 27:
“Internet security is concerned with protecting Internet-related services and related ICT systems and networks as an extension of network security in organizations and at home, to achieve the purpose of security. Internet security also ensures the availability and reliability of Internet services.”
‘Availability’ of Internet services is clearly already a core part of information security as the term is formally defined, while ‘reliability’ is a mix of integrity and availability, and again falls within the definition. Hence the second sentence is redundant. The first sentence indicates that the standard is merely an ‘extension of network security’. I am still hunting for evidence of any substantive extensions ...
Meanwhile, tucked away in the body of the 4th Working Draft, we find this little gem:
“Cybersecurity is similar to information security and many of the information security controls, methods, and techniques can be applied to manage cyber risks. Cybersecurity concerns managing information security risks when information is in digital form in computers, storage and networks. Cybersecurity deals with protecting Internet-connected systems including hardware, software, programs, and data from potential attacks. Many of these attacks are characterized by targeted and blended attacks with high degree of sophistication and persistence. The threats may be Internet-based and/or threats due to connectivity with other networks and systems within the organization or customer and service provider’s network to which it may be talking to during the normal course of business. Internet Security is a subset of cyber security dealing only with protection of systems accessing the Internet.”
Well blow me down with a feather. Perhaps someone should have a quiet word with the other cybersecurity standards teams ...